Hi,
I understand that I have to explain my use-case better. We want to combine Magento
CMS/Shop, OpenEDX, another C# desktop program (RL) and Keycloak. The idea was to have
the same users everywhere, because they buy access codes for our RL in Magento and have to
log in to RL too.
It would be odd if one logs out in the shop and logs out in the program too. So the idea
was to allow login from Magento OR RL, opened should forward to Magento in this case. RL
has no logout at the moment, but the logout at Magento should log out Magento and OpenEDX,
but _not_ RL.
Thanks for your help so far!
Best regards
Marc
From: Thomas Darimont [mailto:thomas.darimont@googlemail.com]
Sent: Monday, March 20, 2017 9:22 PM
To: Marek Posolda <mposolda(a)redhat.com>
Cc: Marc Tempelmeier <marc.tempelmeier(a)flane.de>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak and 3 clients
Hello Marc,
I think the following setup will suit your requirement (assuming all 3 apps are web
apps).
Create a confidential client for each of the 3 apps in the same realm.
Treat 1 app as the "manager" app. The other apps are "workers".
Secure each app with an appropriate Keycloak adapter and configure an appropriate
Admin URL for the client such that Keycloak can propagate logouts to them.
In the "manager" app, use the default Keycloak logout functionality of your adapter
when a user clicks on logout.
However, in the worker app only kill the current HTTP session
of the app on "logout" and release app-local resources, then redirect to
some kind of central launch pad, potentially part of the "manager" app.
If a user now clicks on an application icon on the launch pad, he
will be sent to the app without having to log in.
If a user performs a logout from the manager app, the real logout
will be performed. If the user then tries to access an app, he has to log in again.
This "pseudo" logout still releases some resources and gives the user
the "impression" that they did their job of logging out every time.
This helps to deal with users who are used to working with non-integrated
web apps but still don't want to log in every time...
Cheers,
Thomas
2017-03-20 19:45 GMT+01:00 Marek Posolda <mposolda@redhat.com>:
Hi,
not sure I understand your use-case properly. Also not sure how much
sense it makes, as login is always SSO and logout is always
single-sign-out. Maybe there is a possibility to do this with our
"identity providers" and have 2 Keycloak realms, where 1 realm will be
the provider and the second realm the consumer. There are some disadvantages of this
approach (e.g. duplicated users), but maybe you can achieve what you want
with this.
Marek
On 20/03/17 16:02, Marc Tempelmeier wrote:
Hi,
I'm new to Keycloak and have the lucky possibility to play around with it here at my new
company.
Unluckily, I'm the only person who plays around with it at the moment.
So I have to make it possible that we have 3 services connected with Keycloak. But just
one of them should have the users in the same realm but the users shouldn't be logged
out.
To recap:
Keycloak with 3 clients, logout should log out only 2, but login should occur for all
3.
Can you give me a gist of how to solve that?
Best regards
Marc
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
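The manager/worker logout split described in Thomas's reply, modelled in Python as an added example (not code from the thread or from Keycloak). The class names, the return values of `access`, and the user "alice" are constructed for illustration.

```python
# Toy model of the manager/worker logout split (constructed; not Keycloak code).
# Assumption: the IdP tracks the realm-wide SSO session, each app keeps its own
# local HTTP session, and a real logout is propagated to every registered client.

class IdP:
    def __init__(self):
        self.sso = set()      # users with a live SSO session
        self.clients = []     # apps that receive logout notifications

    def login(self, user):
        self.sso.add(user)

    def logout(self, user):
        self.sso.discard(user)
        for app in self.clients:          # propagate to every client
            app.sessions.discard(user)

class App:
    def __init__(self, name, idp, manager=False):
        self.name, self.idp, self.manager = name, idp, manager
        self.sessions = set()             # app-local HTTP sessions
        idp.clients.append(self)

    def access(self, user):
        """Return 'ok', 'sso' (silent re-login) or 'login' (credentials needed)."""
        if user in self.sessions:
            return "ok"
        if user in self.idp.sso:
            self.sessions.add(user)
            return "sso"
        return "login"

    def logout(self, user):
        if self.manager:
            self.idp.logout(user)         # manager: real single sign-out
        else:
            self.sessions.discard(user)   # worker: pseudo logout, local only

def demo():
    idp = IdP()
    manager = App("manager", idp, manager=True)
    worker = App("worker", idp)
    idp.login("alice")
    trace = [manager.access("alice"), worker.access("alice")]
    worker.logout("alice")
    trace += [worker.access("alice"), manager.access("alice")]
    manager.logout("alice")
    trace += [worker.access("alice"), manager.access("alice")]
    return trace
```

After the worker's pseudo logout the SSO session is still live, so the next access to the worker succeeds without credentials; only the manager logout forces a fresh login everywhere.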